What is the proper configuration for AWS SQS/SNS in a consolidated account environment?

larry_youngquis
New Member

We have multiple sub-accounts that aggregate their cloudtrail data into a single S3 bucket stored at the master account level.

What, if any, SQS and SNS configurations need to be done at the sub-account level? Or, is it only defined for the master account?

0 Karma

scpack
New Member

Hey Larry,

I'm doing this same thing, aggregating CloudTrail for ingest via S3. Rather than using the CloudTrail input type with the SQS queue name, I'm using the S3 input on the bucket. It simplifies deployment a lot, but you have to keep in mind that the events will only be as up to date as your S3 polling interval.

0 Karma

jcoates_splunk
Splunk Employee

You'll need a modular input instance per queue. I don't think the bucket aggregation will matter, though it might make permissions more entertaining.

0 Karma
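The "permissions" part of the consolidated-bucket setup is the bucket policy on the master account's S3 bucket: CloudTrail in each sub-account must be allowed to check the bucket ACL and to write only under its own `AWSLogs/<account-id>/` prefix. The policy below is an added example, not from this thread or the Splunk add-on; the bucket name `example-org-cloudtrail` and the account IDs `111111111111` and `222222222222` are placeholders to replace with your own values.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AWSCloudTrailAclCheck",
      "Effect": "Allow",
      "Principal": { "Service": "cloudtrail.amazonaws.com" },
      "Action": "s3:GetBucketAcl",
      "Resource": "arn:aws:s3:::example-org-cloudtrail"
    },
    {
      "Sid": "AWSCloudTrailWriteSubAccounts",
      "Effect": "Allow",
      "Principal": { "Service": "cloudtrail.amazonaws.com" },
      "Action": "s3:PutObject",
      "Resource": [
        "arn:aws:s3:::example-org-cloudtrail/AWSLogs/111111111111/*",
        "arn:aws:s3:::example-org-cloudtrail/AWSLogs/222222222222/*"
      ],
      "Condition": {
        "StringEquals": { "s3:x-amz-acl": "bucket-owner-full-control" }
      }
    }
  ]
}
```

Scoping each `Resource` to an account-specific prefix keeps one sub-account's trail from writing into another's path, and the `bucket-owner-full-control` condition ensures the master account (and the Splunk input reading with master-account credentials) can read every delivered object.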

jcoates_splunk
Splunk Employee

This answer was assuming that you would manually aggregate several CloudTrail accounts so that you get a separate XML file from each account's events. However, if you've linked the accounts to each other you'll actually get a single XML file per period with multiple accounts and multiple events in it. Add-on for AWS version 1.1.1 was just posted Thursday and supports this scenario.

0 Karma